CN115455440A - Transparent encryption method and device, electronic equipment and storage medium - Google Patents

Transparent encryption method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN115455440A
CN115455440A CN202210906526.0A CN202210906526A CN115455440A CN 115455440 A CN115455440 A CN 115455440A CN 202210906526 A CN202210906526 A CN 202210906526A CN 115455440 A CN115455440 A CN 115455440A
Authority
CN
China
Prior art keywords
file
operation request
file system
virtual disk
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210906526.0A
Other languages
Chinese (zh)
Inventor
徐天骥
刘才军
郭彬
段江南
黄景平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Cloud Technology Co Ltd
Original Assignee
China Telecom Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Cloud Technology Co Ltd filed Critical China Telecom Cloud Technology Co Ltd
Priority to CN202210906526.0A priority Critical patent/CN115455440A/en
Publication of CN115455440A publication Critical patent/CN115455440A/en
Priority to PCT/CN2022/141882 priority patent/WO2024021496A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5022Mechanisms to release resources
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of encryption, in particular to a transparent encryption method, a device, electronic equipment and a storage medium, wherein the method comprises the steps of obtaining an operation request of a target file, wherein the operation request carries attribute information of the target file; determining the type of the operation request based on the attribute information, wherein the type of the operation request comprises an authorized operation request or an unauthorized operation request; redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file. The virtual disk file system realizes the isolation of two forms of the same target file, and the isolation is carried out based on the type of the operation request during redirection, thereby realizing the transparent encryption of double-file control and having the high performance and stability of a layered file system.

Description

透明加密方法、装置、电子设备及存储介质Transparent encryption method, device, electronic equipment and storage medium

技术领域technical field

本发明涉及加密技术领域,具体涉及透明加密方法、装置、电子设备及存储介质。The invention relates to the technical field of encryption, in particular to a transparent encryption method, device, electronic equipment and storage medium.

背景技术Background technique

透明加密是指在不改变用户操作习惯的前提下,对用户计算机上的文件进行保护。文件在被写入磁盘时进行加密;被读取时根据进程判断,对授权进程进行解密,而其他非授权进程不进行解密。这样既能支持用户日常编辑使用文件,又能防止用户将加密文件外发泄密,保障数据安全。Transparent encryption refers to the protection of files on the user's computer without changing the user's operating habits. The file is encrypted when it is written to the disk; when it is read, the authorized process is decrypted according to the judgment of the process, while other non-authorized processes are not decrypted. This can not only support users' daily editing and use of files, but also prevent users from leaking encrypted files and ensure data security.

发明内容Contents of the invention

有鉴于此,本发明实施例提供了一种透明加密方法、装置、电子设备及存储介质,以解决透明加密的问题。In view of this, embodiments of the present invention provide a transparent encryption method, device, electronic equipment, and storage medium to solve the problem of transparent encryption.

根据第一方面,本发明实施例提供了一种透明加密方法,包括:According to the first aspect, an embodiment of the present invention provides a transparent encryption method, including:

获取目标文件的操作请求,所述操作请求中携带有所述目标文件的属性信息;Obtaining an operation request of the target file, the operation request carrying attribute information of the target file;

基于所述属性信息确定所述操作请求的类型,所述操作请求的类型包括授权操作请求或非授权操作请求;determining the type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;

根据所述操作请求的类型,将所述操作请求重定向至虚拟磁盘文件系统或真实文件系统,所述虚拟磁盘文件系统用于与真实文件系统进行交互,所述虚拟磁盘文件用于缓存解密后的所述目标文件,所述真实文件系统用于存储加密后的所述目标文件。According to the type of the operation request, redirect the operation request to the virtual disk file system or the real file system, the virtual disk file system is used to interact with the real file system, and the virtual disk file is used to cache the decrypted The target file, the real file system is used to store the encrypted target file.

本发明实施例提供的透明加密方法,通过虚拟磁盘文件系统实现了同一目标文件的两种形式的隔离,即,加密后的目标文件存储在真实文件系统中,解密后的目标文件缓存在虚拟磁盘文件系统中,具体在重定向时是基于操作请求的类型进行的,从而实现了双文件控制的透明加密,具备分层文件系统的高性能和稳定性。The transparent encryption method provided by the embodiment of the present invention realizes the isolation of two forms of the same target file through the virtual disk file system, that is, the encrypted target file is stored in the real file system, and the decrypted target file is cached in the virtual disk In the file system, the specific redirection is based on the type of operation request, thus realizing the transparent encryption of double file control, with the high performance and stability of the layered file system.

在一些实施方式中,所述根据所述操作请求的类型,将所述操作请求重定向至虚拟磁盘文件系统或真实文件系统,包括:In some implementation manners, the redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request includes:

当所述操作请求的类型为授权操作请求时,将所述操作请求重定向至所述虚拟磁盘文件系统;When the type of the operation request is an authorized operation request, redirecting the operation request to the virtual disk file system;

基于所述虚拟磁盘文件系统对所述操作请求进行明文处理。The operation request is processed in plain text based on the virtual disk file system.

本发明实施例提供的透明加密方法,只有在确定出操作请求的类型为授权操作请求时,才会将操作请求重定向至虚拟磁盘文件系统,保证明文数据的可靠性。The transparent encryption method provided by the embodiment of the present invention redirects the operation request to the virtual disk file system only when it is determined that the type of the operation request is an authorized operation request, so as to ensure the reliability of plaintext data.

在一些实施方式中,所述虚拟磁盘文件系统包括虚拟磁盘以及加密文件系统,所述虚拟磁盘用于挂载所述加密文件系统,所述加密文件系统用于从所述真实文件系统读取加密后的所述目标文件进行解密。In some implementations, the virtual disk file system includes a virtual disk and an encrypted file system, the virtual disk is used to mount the encrypted file system, and the encrypted file system is used to read encrypted files from the real file system After the target file is decrypted.

本发明实施例提供的透明加密方法,加密文件系统维护的影子文件和真实文件系统维护的文件实际对应同一个物理磁盘文件,影子文件访问明文,真实文件系统访问密文,具备高性能和高稳定性。采用重定向机制将操作请求转发到虚拟磁盘,与杀毒软件兼容,防止透传影子文件的操作请求到真实文件系统后导致蓝屏等。In the transparent encryption method provided by the embodiment of the present invention, the shadow file maintained by the encrypted file system and the file maintained by the real file system actually correspond to the same physical disk file, the shadow file accesses plaintext, and the real file system accesses ciphertext, with high performance and high stability sex. The redirection mechanism is used to forward the operation request to the virtual disk, which is compatible with anti-virus software and prevents the blue screen caused by the operation request of the transparent transmission shadow file to the real file system.

在一些实施方式中,所述基于所述虚拟磁盘文件系统对所述目标文件进行明文操作,包括:In some implementation manners, the plaintext operation of the target file based on the virtual disk file system includes:

读取所述虚拟磁盘中的影子文件,以获得加密后的所述目标文件在所述真实文件系统中的访问路径;Read the shadow file in the virtual disk to obtain the encrypted access path of the target file in the real file system;

基于所述访问路径从所述真实文件系统中读取加密后的所述目标文件;reading the encrypted target file from the real file system based on the access path;

利用加密文件系统对加密后的所述目标文件进行解密,并利用所述影子文件对解密结果进行缓存,以对所述目标文件进行明文操作。The encrypted file system is used to decrypt the encrypted target file, and the shadow file is used to cache the decryption result, so as to perform plaintext operations on the target file.

本发明实施例提供的透明加密方法,在影子文件中存储加密后的目标文件在真实文件系统中的访问路径,只有在接收到操作请求时才利用该访问路径进行加密后的目标文件的读取与解密,通过读取时机的限制,能够减少不必要的内存开销。In the transparent encryption method provided by the embodiment of the present invention, the access path of the encrypted target file in the real file system is stored in the shadow file, and only when an operation request is received, the access path is used to read the encrypted target file With decryption, unnecessary memory overhead can be reduced by limiting the timing of reading.

在一些实施方式中,所述读取所述虚拟磁盘中的影子文件,以获得加密后的所述目标文件在所述真实文件系统中的访问路径,包括:In some implementation manners, the reading the shadow file in the virtual disk to obtain the encrypted access path of the target file in the real file system includes:

当获取到所述目标文件的授权打开请求时,在所述虚拟磁盘中创建影子文件;When obtaining the authorization opening request of the target file, creating a shadow file in the virtual disk;

在所述影子文件中记录加密后的所述目标文件在所述真实文件系统中的访问路径。An access path of the encrypted target file in the real file system is recorded in the shadow file.

在一些实施方式中,所述方法还包括:In some embodiments, the method also includes:

当获取到所述目标文件的授权关闭请求时,在所述虚拟磁盘中清除所述影子文件。When the authorization closing request of the target file is obtained, the shadow file is cleared in the virtual disk.

本发明实施例提供的透明加密方法,影子文件是依据需求创建,且依据需求清除的,能够及时释放内存空间,减少内存消耗。In the transparent encryption method provided by the embodiment of the present invention, shadow files are created and cleared according to requirements, which can release memory space in time and reduce memory consumption.

在一些实施方式中,所述方法还包括:In some embodiments, the method also includes:

当所述操作请求为非授权操作请求时,将所述操作请求重定向至所述真实文件系统;When the operation request is an unauthorized operation request, redirecting the operation request to the real file system;

基于所述真实文件系统对所述目标文件进行密文操作。A ciphertext operation is performed on the target file based on the real file system.

本发明实施例提供的透明加密方法,对于非授权操作请求,就直接将操作请求重定向至真实文件系统中进行密文操作,提高了目标文件的安全性。In the transparent encryption method provided by the embodiment of the present invention, for an unauthorized operation request, the operation request is directly redirected to the real file system for ciphertext operation, which improves the security of the target file.

根据第二方面,本发明实施例还提供了一种透明加密装置,包括:According to the second aspect, an embodiment of the present invention also provides a transparent encryption device, including:

获取模块,用于获取目标文件的操作请求,所述操作请求中携带有所述目标文件的属性信息;An acquisition module, configured to acquire an operation request of a target file, wherein the operation request carries attribute information of the target file;

确定模块,用于基于所述属性信息确定所述操作请求的类型,所述操作请求的类型包括授权操作请求或非授权操作请求;A determining module, configured to determine the type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;

重定向模块,用于根据所述操作请求的类型,将所述操作请求重定向至虚拟磁盘文件系统或真实文件系统,所述虚拟磁盘文件系统用于与真实文件系统进行交互,所述虚拟磁盘文件用于缓存解密后的所述目标文件,所述真实文件系统用于存储加密后的所述目标文件。A redirection module, configured to redirect the operation request to a virtual disk file system or a real file system according to the type of the operation request, the virtual disk file system is used to interact with the real file system, and the virtual disk The file is used to cache the decrypted target file, and the real file system is used to store the encrypted target file.

根据第三方面,本发明实施例提供了一种电子设备,包括:存储器和处理器,所述存储器和所述处理器之间互相通信连接,所述存储器中存储有计算机指令,所述处理器通过执行所述计算机指令,从而执行第一方面或者第一方面的任意一种实施方式中所述的透明加密方法。According to a third aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, the memory and the processor are connected to each other in communication, the memory stores computer instructions, and the processor By executing the computer instructions, the transparent encryption method described in the first aspect or any implementation manner of the first aspect is executed.

根据第四方面,本发明实施例提供了一种计算机可读存储介质,所述计算机可读存储介质存储计算机指令,所述计算机指令用于使所述计算机执行第一方面或者第一方面的任意一种实施方式中所述的透明加密方法。According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, the computer-readable storage medium stores computer instructions, and the computer instructions are used to enable the computer to execute any of the first aspect or the first aspect. A transparent encryption method described in an implementation manner.

附图说明Description of drawings

为了更清楚地说明本发明具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施方式,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the specific implementation of the present invention or the technical solutions in the prior art, the following will briefly introduce the accompanying drawings that need to be used in the specific implementation or description of the prior art. Obviously, the accompanying drawings in the following description The drawings show some implementations of the present invention, and those skilled in the art can obtain other drawings based on these drawings without any creative work.

图1示出了基于分层文件系统的透明加密示意图;Figure 1 shows a schematic diagram of transparent encryption based on a layered file system;

图2是根据本发明实施例的透明加密方法的流程图;Fig. 2 is a flowchart of a transparent encryption method according to an embodiment of the present invention;

图3是根据本发明实施例的透明加密方法的流程图;Fig. 3 is a flowchart of a transparent encryption method according to an embodiment of the present invention;

图4是根据本发明实施例的透明加密方法的示意图;Fig. 4 is a schematic diagram of a transparent encryption method according to an embodiment of the present invention;

图5是根据本发明实施例的透明加密方法的示意图;5 is a schematic diagram of a transparent encryption method according to an embodiment of the present invention;

图6是根据本发明实施例的透明加密装置的结构框图;Fig. 6 is a structural block diagram of a transparent encryption device according to an embodiment of the present invention;

图7是本发明实施例提供的电子设备的硬件结构示意图。FIG. 7 is a schematic diagram of a hardware structure of an electronic device provided by an embodiment of the present invention.

具体实施方式detailed description

为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is a part of embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without making creative efforts belong to the protection scope of the present invention.

一般透明加密是基于windows内核层实现,通过在内核层对打开关闭、读写文件等请求进行过滤,根据不同进程的权限和文件类型决定是否进行加解密。然而,由于windows操作系统存在缓存机制,在开启缓存机制的状态下,不同进程读写同一个文件实际上是读写同一份文件缓存。授权进程需要访问明文,而非授权进程需要访问密文,这就导致两类进程交替操作同一个加密文件时,需要进行缓存切换。但是这类方法不仅降低了性能,频繁清缓存还可能损坏文件。Generally, transparent encryption is implemented based on the windows kernel layer. By filtering requests for opening and closing, reading and writing files, etc. at the kernel layer, it is determined whether to encrypt and decrypt according to the permissions and file types of different processes. However, due to the caching mechanism of the Windows operating system, when the caching mechanism is enabled, different processes reading and writing the same file are actually reading and writing the same file cache. The authorized process needs to access the plaintext, while the non-authorized process needs to access the ciphertext, which leads to the need for cache switching when the two types of processes alternately operate the same encrypted file. However, such methods not only reduce performance, but frequent cache clearing may also damage files.

进一步地,基于分层文件系统(即,layerfsd)的双缓存方案为了解决性能问题而存在的。所谓分层文件系统,就是将传统加密过滤驱动扩展为一个半过滤驱动半文件系统,加密驱动不仅过滤文件读写请求,还与windows io管理器、缓存管理器、内核管理器进行交互,为同一个磁盘文件建立维护两个文件控制块(file control block,简称为FCB),建立两份缓存。这样授权进程和非授权进程相当于访问两个文件,互不干扰,解决了性能问题,稳定性也有所提高。然而layerfsd并不是真正的文件系统,而与杀毒软件同属同一层面的过滤驱动。为了防止某些恶意软件也采用过滤文件操作的方法威胁用户数据,杀毒软件可以在上层拦截到用户读写请求后,直接获取当前磁盘的文件系统驱动设备,将用户数据透传到底层文件系统,从而绕过中间所有的过滤驱动层,包括分层文件系统驱动。这不仅会导致加密文件数据出错,而且由于下层文件系统接受到了一个并非它自身创建的FCB,更有可能导致计算机崩溃蓝屏。Furthermore, a double-caching solution based on a layered file system (ie, layerfsd) exists to solve performance problems. The so-called hierarchical file system is to expand the traditional encrypted filter driver into a half-filter driver and half-file system. The encrypted driver not only filters file read and write requests, but also interacts with windows io manager, cache manager, and kernel manager. A disk file is created and maintained with two file control blocks (FCB for short), and two caches are established. In this way, the authorized process and the unauthorized process are equivalent to accessing two files without interfering with each other, which solves the performance problem and improves the stability. However, layerfsd is not a real file system, but a filter driver at the same level as antivirus software. In order to prevent some malicious software from threatening user data by filtering file operations, the antivirus software can directly obtain the file system drive device of the current disk after intercepting user read and write requests at the upper layer, and transparently transmit user data to the underlying file system. This bypasses all intermediate filter driver layers, including layered filesystem drivers. Not only will this cause errors in the encrypted file data, but it is more likely to cause the computer to crash and blue screen because the underlying file system receives an FCB that it did not create itself.

例如,如图1所示,基于分层文件系统的技术虽然实现了所有文件系统接口,但并没有注册为真正的文件系统,其本质仍然是文件过滤驱动,与真实文件系统挂载在同一个卷设备上。因此,如果某些杀毒软件或者恶意软件同样采用文件过滤驱动的方式,将影子FCB的访问请求过滤,通过访问请求获取到底层文件系统设备,然后将访问请求直接发送到底层文件系统,文件系统接收到一个不属于自己维护的FCB,去读写相关数据就很可能导致系统直接崩溃。For example, as shown in Figure 1, although the layered file system-based technology implements all file system interfaces, it is not registered as a real file system. Its essence is still a file filter driver, which is mounted on the same file system as the real file system. volume device. Therefore, if some antivirus software or malicious software also uses the file filtering driver method to filter the access requests of the shadow FCB, obtain the underlying file system device through the access request, and then directly send the access request to the underlying file system, the file system receives If you go to an FCB that is not maintained by yourself, reading and writing related data may cause the system to crash directly.

本发明实施例提供的透明加密方法,先确定操作请求的类型,再依据操作请求的类型将其重定向至虚拟磁盘文件系统或真实文件系统,实现解密后的目标文件与加密后的目标文件的分别存储与维护。即,该方法实现了双文件控制的透明加密,具备分层文件系统的高性能和稳定性。The transparent encryption method provided by the embodiment of the present invention first determines the type of the operation request, and then redirects it to the virtual disk file system or the real file system according to the type of the operation request, so as to realize the encryption of the decrypted target file and the encrypted target file Store and maintain separately. That is, the method realizes the transparent encryption of double-file control, and has the high performance and stability of a layered file system.

进一步地,本发明实施例提供的透明加密方法,还能解决与杀毒软件的兼容性问题。在本发明实施例中,由于加密文件系统注册为真正的文件系统并挂载到虚拟磁盘,即使杀毒软件等过滤到影子FCB的访问请求,通过访问请求获取到的卷设备仍然是虚拟磁盘卷,发送的访问请求最终仍然由加密文件系统处理,可以正常透明加解密。Furthermore, the transparent encryption method provided by the embodiment of the present invention can also solve the problem of compatibility with antivirus software. In the embodiment of the present invention, since the encrypted file system is registered as a real file system and mounted to the virtual disk, even if the antivirus software and the like filter the access request of the shadow FCB, the volume device obtained through the access request is still a virtual disk volume. The sent access request is finally processed by the encrypted file system, which can be encrypted and decrypted normally and transparently.

根据本发明实施例,提供了一种透明加密方法实施例,需要说明的是,在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行,并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。According to an embodiment of the present invention, an embodiment of a transparent encryption method is provided. It should be noted that the steps shown in the flowcharts of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and, although in The flowcharts show a logical order, but in some cases the steps shown or described may be performed in an order different from that shown or described herein.

在本实施例中提供了一种透明加密方法,可用于电子设备,如终端、服务器等,图2是根据本发明实施例的透明加密方法的流程图,如图2所示,该流程包括如下步骤:In this embodiment, a transparent encryption method is provided, which can be used in electronic devices, such as terminals, servers, etc. FIG. 2 is a flowchart of a transparent encryption method according to an embodiment of the present invention. As shown in FIG. 2, the process includes the following step:

S11,获取目标文件的操作请求。S11, acquiring an operation request of a target file.

其中,所述操作请求中携带有目标文件的属性信息。Wherein, the operation request carries attribute information of the target file.

操作请求包括但不限于对目标文件的修改、删除、复制等操作,具体根据实际需求进行设置,在此对其并不做任何限定。该操作请求是在打开请求之后,对目标文件进行具体处理操作时发出的请求。其中,属性信息包括目标文件的文件信息以及进程信息,文件信息包括对目标文件的操作信息,即具体执行哪些操作,进程信息表示当前是哪个进程访问的。Operation requests include but are not limited to operations such as modifying, deleting, and copying target files, which are specifically set according to actual needs, and are not limited here. The operation request is a request sent when a specific processing operation is performed on the target file after the opening request. Wherein, the attribute information includes file information and process information of the target file, the file information includes operation information on the target file, that is, which operations are specifically performed, and the process information indicates which process currently accesses it.

S12,基于属性信息确定操作请求的类型。S12. Determine the type of the operation request based on the attribute information.

其中,所述操作请求的类型包括授权操作请求或非授权操作请求。Wherein, the type of the operation request includes an authorized operation request or an unauthorized operation request.

在电子设备中配置有具有授权操作的文件及其对应的进程,以及非授权操作的文件及其进程的标识。在获取到属性信息之后,利用属性信息中的文件信息进行匹配,确定出该文件对应的授权进程;再利用进程信息与授权进程进行匹配,确定出该操作请求的类型。例如,将对文档或表格对应的进程确定为授权进程,将消息外发对应的进程确定为非授权进程。Files with authorized operations and their corresponding processes, and identifications of files with unauthorized operations and their processes are configured in the electronic device. After the attribute information is obtained, match the file information in the attribute information to determine the authorization process corresponding to the file; then use the process information to match the authorization process to determine the type of the operation request. For example, a process corresponding to a document or a form is determined as an authorized process, and a process corresponding to outgoing messages is determined as an unauthorized process.

S13,根据操作请求的类型,将操作请求重定向至虚拟磁盘文件系统或真实文件系统。S13. According to the type of the operation request, redirect the operation request to the virtual disk file system or the real file system.

所述虚拟磁盘文件系统用于与真实文件系统进行交互,所述虚拟磁盘文件用于缓存解密后的所述目标文件,所述真实文件系统用于存储加密后的所述目标文件。The virtual disk file system is used to interact with the real file system, the virtual disk file is used to cache the decrypted target file, and the real file system is used to store the encrypted target file.

通过配置虚拟磁盘文件系统,实现与真实文件系统的隔离。且在真实文件系统中存储的是加密后的目标文件,对于加密后的目标文件的解密操作是通过虚拟磁盘文件系统实现的,因此,虚拟磁盘文件系统用于缓存解密后的目标文件。By configuring the virtual disk file system, the isolation from the real file system is realized. Moreover, the encrypted target file is stored in the real file system, and the decryption operation of the encrypted target file is realized through the virtual disk file system. Therefore, the virtual disk file system is used for caching the decrypted target file.

在确定出操作请求的类型之后,将操作请求重定向至授权操作请求或非授权操作请求对应的文件系统。其中,授权操作请求与虚拟磁盘文件系统对应,非授权操作请求与真实文件系统对应。对于授权操作请求而言,其可以访问解密后的目标文件,并依据操作请求对解密后的目标文件进行相应的处理;对于非授权操作请求而言,其仅能够访问加密后的目标文件,所有的操作均是对加密后的目标文件进行处理的。After the type of the operation request is determined, the operation request is redirected to the file system corresponding to the authorized operation request or the unauthorized operation request. Wherein, the authorized operation request corresponds to the virtual disk file system, and the unauthorized operation request corresponds to the real file system. For an authorized operation request, it can access the decrypted target file and process the decrypted target file accordingly; for an unauthorized operation request, it can only access the encrypted target file, and all The operation is to process the encrypted target file.

本实施例提供的透明加密方法,通过虚拟磁盘文件系统实现了同一目标文件的两种形式的隔离,即,加密后的目标文件存储在真实文件系统中,解密后的目标文件缓存在虚拟磁盘文件系统中,具体在重定向时是基于操作请求的类型进行的,从而实现了双文件控制的透明加密,具备分层文件系统的高性能和稳定性。The transparent encryption method provided by this embodiment realizes the isolation of two forms of the same target file through the virtual disk file system, that is, the encrypted target file is stored in the real file system, and the decrypted target file is cached in the virtual disk file. In the system, the specific redirection is based on the type of operation request, thus realizing the transparent encryption of double file control, and having the high performance and stability of a layered file system.

在本实施例中提供了一种透明加密方法,可用于电子设备,如终端、服务器等,图3是根据本发明实施例的透明加密方法的流程图,如图3所示,该流程包括如下步骤:In this embodiment, a transparent encryption method is provided, which can be used in electronic devices, such as terminals, servers, etc. FIG. 3 is a flowchart of a transparent encryption method according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following step:

S21,获取目标文件的操作请求。S21. Obtain an operation request of the target file.

其中,所述操作请求中携带有目标文件的属性信息。Wherein, the operation request carries attribute information of the target file.

详细请参见图2所示实施例的S11,在此不再赘述。For details, refer to S11 in the embodiment shown in FIG. 2 , and details are not repeated here.

S22,基于属性信息确定操作请求的类型。S22. Determine the type of the operation request based on the attribute information.

其中,所述操作请求的类型包括授权操作请求或非授权操作请求。Wherein, the type of the operation request includes an authorized operation request or an unauthorized operation request.

详细请参见图2所示实施例的S12,在此不再赘述。For details, refer to S12 in the embodiment shown in FIG. 2 , and details are not repeated here.

S23,根据操作请求的类型,将操作请求重定向至虚拟磁盘文件系统或真实文件系统。S23. According to the type of the operation request, redirect the operation request to the virtual disk file system or the real file system.

所述虚拟磁盘文件系统用于与真实文件系统进行交互,所述虚拟磁盘文件用于缓存解密后的所述目标文件,所述真实文件系统用于存储加密后的所述目标文件。The virtual disk file system is used to interact with the real file system, the virtual disk file is used to cache the decrypted target file, and the real file system is used to store the encrypted target file.

在一些实施方式中,虚拟磁盘文件系统包括虚拟磁盘以及加密文件系统,虚拟磁盘用于挂载加密文件系统,加密文件系统用于从真实文件系统读取加密后的目标文件进行解密。虚拟磁盘使用内存盘实现,提供一个类沙箱的环境,用于挂载加密文件系统,并对用户隐藏。加密文件系统挂载到虚拟磁盘,其对上层实现了所有文件系统接口,不仅处理上层读写等操作,还与windows内存管理器、缓存管理器交互,维护影子文件和加密明文缓存。对下层在读写磁盘数据时与加密后的目标文件所在的真实文件系统进行交互,处理数据的加解密以及加密标记的隐藏等。In some implementations, the virtual disk file system includes a virtual disk and an encrypted file system, the virtual disk is used to mount the encrypted file system, and the encrypted file system is used to read encrypted target files from the real file system for decryption. Virtual disks are implemented using RAM disks, providing a sandbox-like environment for mounting encrypted file systems and hiding them from users. The encrypted file system is mounted to the virtual disk, which implements all file system interfaces to the upper layer, not only handles upper layer read and write operations, but also interacts with the windows memory manager and cache manager to maintain shadow files and encrypted plaintext caches. When the lower layer reads and writes disk data, it interacts with the real file system where the encrypted target file is located, and handles the encryption and decryption of data and the hiding of encryption marks.

为实现对操作请求的重定向处理,通过封装的重定向模块实现重定向。例如,采用微过滤框架编写的文件过滤驱动,挂载到电子设备的每个磁盘卷上。文件操作通过IO管理器构造的操作请求在内核驱动设备栈中传递。挂载后的文件过滤驱动可以截获当前磁盘卷上所有的操作请求,而操作请求内包含了本次文件操作的信息。重定向模块根据拦截到的操作请求中的文件信息和进程信息,可以确定是否将该文件访问请求重定向到虚拟磁盘文件系统,实现授权进程与非授权进程访问两个文件。In order to realize the redirection processing of the operation request, the redirection is implemented through the encapsulated redirection module. For example, a file filter driver written using the microfilter framework is mounted on each disk volume of the electronic device. The file operation is transmitted in the kernel driver device stack through the operation request constructed by the IO manager. The mounted file filter driver can intercept all operation requests on the current disk volume, and the operation requests include the information of this file operation. According to the file information and process information in the intercepted operation request, the redirection module can determine whether to redirect the file access request to the virtual disk file system, so that the authorized process and the unauthorized process can access two files.

加密文件系统维护的影子文件和真实文件系统维护的文件实际对应同一个物理磁盘文件,影子文件用于对解密后的数据进行缓存,即影子文件访问明文,真实文件系统访问密文,具备高性能和高稳定性。采用重定向机制将操作请求转发到虚拟磁盘,与杀毒软件兼容,防止透传影子文件的操作请求到真实文件系统后导致蓝屏等。The shadow files maintained by the encrypted file system and the files maintained by the real file system actually correspond to the same physical disk file. The shadow file is used to cache the decrypted data, that is, the shadow file accesses the plaintext, and the real file system accesses the ciphertext, with high performance. and high stability. The redirection mechanism is used to forward the operation request to the virtual disk, which is compatible with anti-virus software and prevents the blue screen caused by the operation request of the transparent transmission shadow file to the real file system.

基于此,上述S23包括:Based on this, the above S23 includes:

S231,当操作请求的类型为授权操作请求时,将操作请求重定向至虚拟磁盘文件系统。S231. When the type of the operation request is an authorized operation request, redirect the operation request to the virtual disk file system.

S232,基于虚拟磁盘文件系统对操作请求进行明文处理。S232. Perform plaintext processing on the operation request based on the virtual disk file system.

在操作请求的类型为授权操作请求时,利用上述的重定向模块将该操作请求重定性至虚拟磁盘文件系统,由于虚拟磁盘文件系统中的影子文件访问的是明文,因此,在虚拟磁盘文件系统中对该操作请求进行明文处理。When the type of the operation request is an authorized operation request, use the above-mentioned redirection module to redirect the operation request to the virtual disk file system. Since the shadow files in the virtual disk file system access plain text, therefore, in the virtual disk file system The operation request is processed in plain text.

在一些实施方式中,上述S232包括:In some implementations, the above S232 includes:

(1)读取虚拟磁盘中的影子文件,以获得加密后的目标文件在真实文件系统中的访问路径。(1) Read the shadow file in the virtual disk to obtain the access path of the encrypted target file in the real file system.

(2)基于访问路径从真实文件系统中读取加密后的目标文件。(2) Read the encrypted target file from the real file system based on the access path.

(3)利用加密文件系统对加密后的目标文件进行解密,并利用影子文件对解密结果进行缓存,以对目标文件进行明文操作。(3) Use the encrypted file system to decrypt the encrypted target file, and use the shadow file to cache the decryption result to perform plaintext operations on the target file.

影子文件中用于存储加密后的目标文件在真实文件系统中的访问路径,当存在对该目标文件的操作需求时,利用影子文件中记载的访问路径从真实文件系统中读取加密后的目标文件。再利用加密文件系统对加密后的目标文件进行解密,得到解密后的目标文件。利用影子文件对解密后的目标文件进行缓存,基于此,对于操作请求的具体处理而言,就能够对影子文件中缓存的明文数据进行处理。The shadow file is used to store the access path of the encrypted target file in the real file system. When there is an operation requirement for the target file, the encrypted target is read from the real file system using the access path recorded in the shadow file document. Then, the encrypted file system is used to decrypt the encrypted target file to obtain the decrypted target file. The decrypted target file is cached by using the shadow file. Based on this, for the specific processing of the operation request, the plaintext data cached in the shadow file can be processed.

在影子文件中存储加密后的目标文件在真实文件系统中的访问路径,只有在接收到操作请求时才利用该访问路径进行加密后目标文件的读取与解密,通过读取时机的限制,能够减少不必要的内存开销。The access path of the encrypted target file in the real file system is stored in the shadow file. Only when an operation request is received, the access path is used to read and decrypt the encrypted target file. By limiting the timing of reading, it can Reduce unnecessary memory overhead.

在一些实施方式中,上述S232的步骤(1)包括:In some embodiments, step (1) of the above S232 includes:

1.1)当获取到目标文件的授权打开请求时,在虚拟磁盘中创建影子文件。1.1) When the authorization opening request of the target file is obtained, a shadow file is created in the virtual disk.

1.2)在影子文件中记录加密后的目标文件在真实文件系统中的访问路径。1.2) Record the access path of the encrypted target file in the real file system in the shadow file.

对于影子文件而言,在获取到目标文件的授权打开请求时,才在虚拟磁盘中创建该影子文件,并对影子文件进行初始化,同时记录加密后的目标文件在真实文件系统中的访问路径。此时,对于影子文件而言,记录的仅仅是访问路径,而不涉及到加密后的目标文件的具体内容。如上文所述,仅仅是在接收到授权操作请求之后,才会利用访问路径从真实文件系统中拉取加密后的目标文件,利用加密文件系统对其进行解密后缓存在影子文件中的。For the shadow file, the shadow file is created in the virtual disk when the authorization opening request of the target file is obtained, the shadow file is initialized, and the access path of the encrypted target file in the real file system is recorded. At this time, for the shadow file, only the access path is recorded, and the specific content of the encrypted target file is not involved. As mentioned above, only after receiving the authorization operation request, the encrypted target file will be pulled from the real file system by using the access path, decrypted by the encrypted file system and cached in the shadow file.

在另一些实施方式中,该方法还包括:当获取到目标文件的授权关闭请求时,在虚拟磁盘中清除影子文件。在使用完成之后,在虚拟磁盘中自动清除影子文件。影子文件是依据需求创建,且依据需求清除的,能够及时释放内存空间,减少内存消耗。In some other implementation manners, the method further includes: clearing the shadow file in the virtual disk when the authorization closing request of the target file is obtained. Automatically clear shadow files in the virtual disk after use is complete. Shadow files are created and cleared according to requirements, which can release memory space in time and reduce memory consumption.

本实施例提供的透明加密方法,只有在确定出操作请求的类型为授权操作请求时,才会将操作请求重定向至虚拟磁盘文件系统,保证明文数据的可靠性。The transparent encryption method provided in this embodiment redirects the operation request to the virtual disk file system only when it is determined that the type of the operation request is an authorized operation request, so as to ensure the reliability of plaintext data.

在另一些实施方式中,该方法还可以包括:In other embodiments, the method may also include:

(1)当操作请求为非授权操作请求时,将操作请求重定向至真实文件系统。(1) When the operation request is an unauthorized operation request, redirect the operation request to the real file system.

(2)基于真实文件系统对目标文件进行密文操作。(2) Perform ciphertext operations on the target file based on the real file system.

对于非授权操作请求,就直接将操作请求重定向至真实文件系统中进行密文操作,提高了目标文件的安全性。For unauthorized operation requests, the operation requests are directly redirected to the real file system for ciphertext operations, which improves the security of the target files.

如图4所示,当操作应用程序时,生成一个操作请求(IRP),重定向模块对该IRP的类型进行确定。对于授权进程,将该IRP重定向到虚拟磁盘文件系统;对于非授权进程,直接将该IRP重定向至真实文件系统。其中,在虚拟磁盘文件系统中包括有加密文件系统以及虚拟磁盘,加密文件系统中维护了影子FCB,也可以称之为影子文件,在影子文件中存储有访问路径,利用该访问路径从真实文件系统中读取真实FCB文件数据,此时读取到的真实文件FCB数据是加密数据,通过加密文件系统对其进行解密后缓存在影子文件中。As shown in Fig. 4, when an application program is operated, an operation request (IRP) is generated, and the redirection module determines the type of the IRP. For an authorized process, redirect the IRP to the virtual disk file system; for an unauthorized process, directly redirect the IRP to the real file system. Among them, the virtual disk file system includes an encrypted file system and a virtual disk, and a shadow FCB is maintained in the encrypted file system, which can also be called a shadow file, and an access path is stored in the shadow file. The real FCB file data is read in the system, and the real file FCB data read at this time is encrypted data, which is decrypted by the encrypted file system and cached in the shadow file.

作为一个具体应用实例,如图5所示,以第一次打开加密文件为例,具体工作流程为:As a specific application example, as shown in Figure 5, taking the first time to open an encrypted file as an example, the specific workflow is as follows:

(1)用户使用文档编辑程序打开D:\1.doc文件,文档编辑程序调用创建文件系统应用接口触发系统调用,IO管理器解析参数后构建包含打开操作信息的打开请求,将其发送到D盘的文件系统设备栈,设备栈上面有重定向模块、杀毒软件、文件系统等,会依次对访问请求进行处理。(1) The user uses a document editing program to open the D:\1.doc file, and the document editing program calls the create file system application interface to trigger a system call. After parsing the parameters, the IO manager constructs an open request containing the opening operation information and sends it to D The file system device stack of the disk, on which there are redirection modules, anti-virus software, file systems, etc., will process access requests in sequence.

(2)设备栈上挂载的重定向模块过滤到打开请求,根据打开请求获取进程信息和文件信息,与当前加密的策略进行匹配。对于授权进程,将其重定向到虚拟磁盘。(2) The redirection module mounted on the device stack filters the open request, obtains process information and file information according to the open request, and matches with the current encryption policy. For the authorization process, redirect it to the virtual disk.

(3)虚拟磁盘上挂载的加密文件系统收到打开操作的打开请求,基于打开请求内的文件信息,加密文件系统向D盘的文件系统设备栈发送打开1.doc的请求并等待处理结果。其中,处理结果包括打开失败,或打开成功。虚拟磁盘在接收到处理结果后创建影子文件,初始化影子文件中的成员数据,并在影子文件中记录真实文件路径,将处理结果返回给IO管理器和上层应用。(3) The encrypted file system mounted on the virtual disk receives an open request for an open operation. Based on the file information in the open request, the encrypted file system sends a request to open 1.doc to the file system device stack of the D drive and waits for the processing result . Wherein, the processing result includes opening failure or opening success. After receiving the processing result, the virtual disk creates a shadow file, initializes the member data in the shadow file, records the real file path in the shadow file, and returns the processing result to the IO manager and the upper application.

(4)文档编辑程序收到处理结果和文件句柄,文件句柄指向的文件已被重定向到虚拟磁盘中的影子文件,后续文件操作的操作请求直接被发送到加密文件系统中处理。(4) The document editing program receives the processing result and the file handle, and the file pointed to by the file handle has been redirected to the shadow file in the virtual disk, and the operation request for subsequent file operations is directly sent to the encrypted file system for processing.

(5)如果非授权进程访问D:\1.doc,重定向模块直接将操作请求下发到D:\盘的真实文件系统,访问的是由真实文件系统维护的真实文件,即加密文件。(5) If an unauthorized process accesses D:\1.doc, the redirection module directly sends the operation request to the real file system of the D:\ disk, and what is accessed is a real file maintained by the real file system, that is, an encrypted file.

通过建立影子文件实现了授权进程和非授权进程访问的隔离,对于文档编辑程序后续的读写等操作,加密文件系统收到操作请求后,从真实文件系统处读取文件密文数据,并将数据解密后返回给文档编辑程序;写操作时将文档编辑程序的明文数据加密后发送给真实文件系统,实现透明加解密。By establishing a shadow file, the access isolation between authorized process and unauthorized process is realized. For the subsequent read and write operations of the document editing program, after receiving the operation request, the encrypted file system reads the file ciphertext data from the real file system, and The data is decrypted and returned to the document editing program; during the write operation, the plaintext data of the document editing program is encrypted and sent to the real file system to realize transparent encryption and decryption.

在本实施例中还提供了一种透明加密装置,该装置用于实现上述实施例及优选实施方式,已经进行过说明的不再赘述。如以下所使用的,术语“模块”可以实现预定功能的软件和/或硬件的组合。尽管以下实施例所描述的装置较佳地以软件来实现,但是硬件,或者软件和硬件的组合的实现也是可能并被构想的。In this embodiment, a transparent encryption device is also provided, which is used to implement the above embodiments and preferred implementation modes, and what has already been described will not be repeated. As used below, the term "module" may be a combination of software and/or hardware that realizes a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.

本实施例提供一种透明加密装置,如图6所示,包括:This embodiment provides a transparent encryption device, as shown in Figure 6, including:

获取模块41,用于获取目标文件的操作请求,所述操作请求中携带有所述目标文件的属性信息;An acquisition module 41, configured to acquire an operation request of a target file, wherein the operation request carries attribute information of the target file;

确定模块42,用于基于所述属性信息确定所述操作请求的类型,所述操作请求的类型包括授权操作请求或非授权操作请求;A determining module 42, configured to determine the type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;

重定向模块43,用于根据所述操作请求的类型,将所述操作请求重定向至虚拟磁盘文件系统或真实文件系统,所述虚拟磁盘文件系统用于与真实文件系统进行交互,所述虚拟磁盘文件用于缓存解密后的所述目标文件,所述真实文件系统用于存储加密后的所述目标文件。The redirection module 43 is configured to redirect the operation request to a virtual disk file system or a real file system according to the type of the operation request, the virtual disk file system is used to interact with the real file system, and the virtual The disk file is used to cache the decrypted target file, and the real file system is used to store the encrypted target file.

在一些实施方式中,重定向模块43包括:In some implementations, redirection module 43 includes:

第一重定向单元,用于当所述操作请求的类型为授权操作请求时,将所述操作请求重定向至所述虚拟磁盘文件系统;A first redirecting unit, configured to redirect the operation request to the virtual disk file system when the type of the operation request is an authorized operation request;

第一处理单元,用于基于所述虚拟磁盘文件系统对所述操作请求进行明文处理。The first processing unit is configured to process the operation request in plaintext based on the virtual disk file system.

在一些实施方式中,所述虚拟磁盘文件系统包括虚拟磁盘以及加密文件系统,所述虚拟磁盘用于挂载所述加密文件系统,所述加密文件系统用于从所述真实文件系统读取加密后的所述目标文件进行解密。In some implementations, the virtual disk file system includes a virtual disk and an encrypted file system, the virtual disk is used to mount the encrypted file system, and the encrypted file system is used to read encrypted files from the real file system After the target file is decrypted.

在一些实施方式中,第一处理单元包括:In some embodiments, the first processing unit includes:

第一读取子单元,用于读取所述虚拟磁盘中的影子文件,以获得加密后的所述目标文件在所述真实文件系统中的访问路径;A first reading subunit, configured to read the shadow file in the virtual disk to obtain the encrypted access path of the target file in the real file system;

第二读取子单元,用于基于所述访问路径从所述真实文件系统中读取加密后的所述目标文件;a second reading subunit, configured to read the encrypted target file from the real file system based on the access path;

明文操作子单元,用于利用加密文件系统对加密后的所述目标文件进行解密,并利用所述影子文件对解密结果进行缓存,以对所述目标文件进行明文操作。The plaintext operation subunit is used to decrypt the encrypted target file by using the encrypted file system, and cache the decryption result by using the shadow file, so as to perform plaintext operations on the target file.

在一些实施方式中,第一读取子单元包括:In some embodiments, the first reading subunit comprises:

创建子单元,用于当获取到所述目标文件的授权打开请求时,在所述虚拟磁盘中创建影子文件;Create a subunit, used to create a shadow file in the virtual disk when the authorization opening request for the target file is obtained;

记录子单元,用于在所述影子文件中记录加密后的所述目标文件在所述真实文件系统中的访问路径。The recording subunit is configured to record the encrypted access path of the target file in the real file system in the shadow file.

在一些实施方式中,所述装置还包括:In some embodiments, the device also includes:

清除模块,用于当获取到所述目标文件的授权关闭请求时,在所述虚拟磁盘中清除所述影子文件。A clearing module, configured to clear the shadow file in the virtual disk when the authorization closing request of the target file is obtained.

在一些实施方式中,所述装置还包括:In some embodiments, the device also includes:

第一重定向单元,用于当所述操作请求为非授权操作请求时,将所述操作请求重定向至所述真实文件系统;a first redirecting unit, configured to redirect the operation request to the real file system when the operation request is an unauthorized operation request;

密文操作单元,用于基于所述真实文件系统对所述目标文件进行密文操作。A ciphertext operation unit, configured to perform ciphertext operations on the target file based on the real file system.

本实施例中的透明加密装置是以功能单元的形式来呈现,这里的单元是指ASIC电路,执行一个或多个软件或固定程序的处理器和存储器,和/或其他可以提供上述功能的器件。The transparent encryption device in this embodiment is presented in the form of a functional unit, where the unit refers to an ASIC circuit, a processor and memory that execute one or more software or fixed programs, and/or other devices that can provide the above functions .

上述各个模块的更进一步的功能描述与上述对应实施例相同,在此不再赘述。Further functional descriptions of the above-mentioned modules are the same as those in the above-mentioned corresponding embodiments, and will not be repeated here.

本发明实施例还提供一种电子设备,具有上述图6所示的透明加密装置。An embodiment of the present invention also provides an electronic device having the transparent encryption device shown in FIG. 6 above.

请参阅图7,图7是本发明可选实施例提供的一种电子设备的结构示意图,如图7所示,该电子设备可以包括:至少一个处理器51,例如CPU(Central Processing Unit,中央处理器),至少一个通信接口53,存储器54,至少一个通信总线52。其中,通信总线52用于实现这些组件之间的连接通信。其中,通信接口53可以包括显示屏(Display)、键盘(Keyboard),可选通信接口53还可以包括标准的有线接口、无线接口。存储器54可以是高速RAM存储器(Random Access Memory,易挥发性随机存取存储器),也可以是非不稳定的存储器(non-volatile memory),例如至少一个磁盘存储器。存储器54可选的还可以是至少一个位于远离前述处理器51的存储装置。其中处理器51可以结合图6所描述的装置,存储器54中存储应用程序,且处理器51调用存储器54中存储的程序代码,以用于执行上述任一方法步骤。Please refer to FIG. 7. FIG. 7 is a schematic structural diagram of an electronic device provided in an optional embodiment of the present invention. As shown in FIG. 7, the electronic device may include: at least one processor 51, such as a CPU (Central Processing Unit, central processor), at least one communication interface 53, memory 54, and at least one communication bus 52. Wherein, the communication bus 52 is used to realize connection and communication between these components. Wherein, the communication interface 53 may include a display screen (Display) and a keyboard (Keyboard), and the optional communication interface 53 may also include a standard wired interface and a wireless interface. The memory 54 may be a high-speed RAM memory (Random Access Memory, volatile random access memory), or a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. Optionally, the memory 54 may also be at least one storage device located away from the aforementioned processor 51 . Wherein the processor 51 can be combined with the device described in FIG. 6 , the memory 54 stores an application program, and the processor 51 invokes the program code stored in the memory 54 to execute any of the above method steps.

其中,通信总线52可以是外设部件互连标准(peripheral componentinterconnect,简称PCI)总线或扩展工业标准结构(extended industry standardarchitecture,简称EISA)总线等。通信总线52可以分为地址总线、数据总线、控制总线等。为便于表示,图7中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。Wherein, the communication bus 52 may be a peripheral component interconnect (PCI for short) bus or an extended industry standard architecture (EISA for short) bus or the like. The communication bus 52 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used in FIG. 7 , but it does not mean that there is only one bus or one type of bus.

其中,存储器54可以包括易失性存储器(英文:volatile memory),例如随机存取存储器(英文:random-access memory,缩写:RAM);存储器也可以包括非易失性存储器(英文:non-volatile memory),例如快闪存储器(英文:flash memory),硬盘(英文:hard diskdrive,缩写:HDD)或固态硬盘(英文:solid-state drive,缩写:SSD);存储器54还可以包括上述种类的存储器的组合。Wherein, the memory 54 may include a volatile memory (English: volatile memory), such as a random-access memory (English: random-access memory, abbreviated as RAM); the memory may also include a non-volatile memory (English: non-volatile memory), such as flash memory (English: flash memory), hard disk (English: hard diskdrive, abbreviated: HDD) or solid-state hard disk (English: solid-state drive, abbreviated: SSD); memory 54 can also include the above-mentioned types of memory The combination.

其中,处理器51可以是中央处理器(英文:central processing unit,缩写:CPU),网络处理器(英文:network processor,缩写:NP)或者CPU和NP的组合。Wherein, the processor 51 may be a central processing unit (English: central processing unit, abbreviated: CPU), a network processor (English: network processor, abbreviated: NP) or a combination of CPU and NP.

其中,处理器51还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(英文:application-specific integrated circuit,缩写:ASIC),可编程逻辑器件(英文:programmable logic device,缩写:PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(英文:complex programmable logic device,缩写:CPLD),现场可编程逻辑门阵列(英文:field-programmable gate array,缩写:FPGA),通用阵列逻辑(英文:generic arraylogic,缩写:GAL)或其任意组合。Wherein, the processor 51 may further include a hardware chip. The aforementioned hardware chip may be an application-specific integrated circuit (English: application-specific integrated circuit, abbreviation: ASIC), a programmable logic device (English: programmable logic device, abbreviation: PLD) or a combination thereof. The above-mentioned PLD can be a complex programmable logic device (English: complex programmable logic device, abbreviation: CPLD), field-programmable logic gate array (English: field-programmable gate array, abbreviation: FPGA), general array logic (English: generic array logic , Abbreviation: GAL) or any combination thereof.

可选地,存储器54还用于存储程序指令。处理器51可以调用程序指令,实现如本申请任一实施例中所示的透明加密方法。Optionally, memory 54 is also used to store program instructions. The processor 51 may invoke program instructions to implement the transparent encryption method as shown in any embodiment of the present application.

本发明实施例还提供了一种非暂态计算机存储介质,所述计算机存储介质存储有计算机可执行指令,该计算机可执行指令可执行上述任意方法实施例中的透明加密方法。其中,所述存储介质可为磁碟、光盘、只读存储记忆体(Read-Only Memory,ROM)、随机存储记忆体(Random Access Memory,RAM)、快闪存储器(Flash Memory)、硬盘(Hard DiskDrive,缩写:HDD)或固态硬盘(Solid-State Drive,SSD)等;所述存储介质还可以包括上述种类的存储器的组合。The embodiment of the present invention also provides a non-transitory computer storage medium, the computer storage medium stores computer-executable instructions, and the computer-executable instructions can execute the transparent encryption method in any of the above method embodiments. Wherein, the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a flash memory (Flash Memory), a hard disk (Hard Disk) DiskDrive, abbreviation: HDD) or solid-state disk (Solid-State Drive, SSD), etc.; the storage medium may also include a combination of the above-mentioned types of memory.

虽然结合附图描述了本发明的实施例,但是本领域技术人员可以在不脱离本发明的精神和范围的情况下做出各种修改和变型,这样的修改和变型均落入由所附权利要求所限定的范围之内。Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention. within the bounds of the requirements.

Claims (10)

1. A transparent encryption method, comprising:
acquiring an operation request of a target file, wherein the operation request carries attribute information of the target file;
determining the type of the operation request based on the attribute information, wherein the type of the operation request comprises an authorized operation request or an unauthorized operation request;
redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
2. The method of claim 1, wherein redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request comprises:
when the type of the operation request is an authorized operation request, redirecting the operation request to the virtual disk file system;
and performing plaintext processing on the operation request based on the virtual disk file system.
3. The method according to claim 2, wherein the virtual disk file system comprises a virtual disk and an encrypted file system, the virtual disk is used for mounting the encrypted file system, and the encrypted file system is used for reading the encrypted target file from the real file system for decryption.
4. The method of claim 3, wherein the performing a plaintext operation on the target file based on the virtual disk file system comprises:
reading the shadow file in the virtual disk to obtain an access path of the encrypted target file in the real file system;
reading the encrypted target file from the real file system based on the access path;
and decrypting the encrypted target file by using an encrypted file system, and caching a decryption result by using the shadow file so as to perform plaintext operation on the target file.
5. The method according to claim 4, wherein the reading the shadow file in the virtual disk to obtain the encrypted access path of the target file in the real file system comprises:
when an authorized opening request of the target file is acquired, a file is created in the virtual disk;
and recording an access path of the encrypted target file in the real file system in the shadow file.
6. The method of claim 4, further comprising:
and when the request for closing the authorization of the target file is acquired, the shadow file is cleared in the virtual disk.
7. The method of claim 2, further comprising:
when the operation request is an unauthorized operation request, redirecting the operation request to the real file system;
and carrying out ciphertext operation on the target file based on the real file system.
8. A transparent encryption apparatus, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring an operation request of a target file, and the operation request carries attribute information of the target file;
a determining module, configured to determine a type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;
and the redirection module is used for redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the transparent encryption method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the transparent encryption method of any one of claims 1-7.
CN202210906526.0A 2022-07-29 2022-07-29 Transparent encryption method and device, electronic equipment and storage medium Pending CN115455440A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210906526.0A CN115455440A (en) 2022-07-29 2022-07-29 Transparent encryption method and device, electronic equipment and storage medium
PCT/CN2022/141882 WO2024021496A1 (en) 2022-07-29 2022-12-26 Transparent encryption method and apparatus, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210906526.0A CN115455440A (en) 2022-07-29 2022-07-29 Transparent encryption method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115455440A true CN115455440A (en) 2022-12-09

Family

ID=84296897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210906526.0A Pending CN115455440A (en) 2022-07-29 2022-07-29 Transparent encryption method and device, electronic equipment and storage medium

Country Status (2)

Country Link
CN (1) CN115455440A (en)
WO (1) WO2024021496A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024021496A1 (en) * 2022-07-29 2024-02-01 天翼云科技有限公司 Transparent encryption method and apparatus, electronic device, and storage medium
WO2025107641A1 (en) * 2023-11-24 2025-05-30 华为云计算技术有限公司 Data processing method and apparatus

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200176A (en) * 2014-08-28 2014-12-10 电子科技大学 System and method for carrying out transparent encryption and decryption on file in intelligent mobile terminal
CN105760779B (en) * 2016-02-18 2018-06-22 武汉理工大学 A kind of Two-way File encryption system based on FUSE
US10489600B2 (en) * 2017-04-28 2019-11-26 Dell Products L.P. Access path redirection for encrypted files
CN110569651A (en) * 2019-08-27 2019-12-13 北京明朝万达科技股份有限公司 file transparent encryption and decryption method and system based on domestic operating system
CN115455440A (en) * 2022-07-29 2022-12-09 天翼云科技有限公司 Transparent encryption method and device, electronic equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024021496A1 (en) * 2022-07-29 2024-02-01 天翼云科技有限公司 Transparent encryption method and apparatus, electronic device, and storage medium
WO2025107641A1 (en) * 2023-11-24 2025-05-30 华为云计算技术有限公司 Data processing method and apparatus

Also Published As

Publication number Publication date
WO2024021496A1 (en) 2024-02-01

Similar Documents

Publication Publication Date Title
US7437429B2 (en) System and method for providing transparent access to distributed authoring and versioning files including encrypted files
US9251201B2 (en) Compatibly extending offload token size
CN101986305B (en) File system operating method and communication device
CN103825953B (en) A kind of user model encrypted file system
US10395044B2 (en) Method and apparatus for securing computer mass storage data
US20050278418A1 (en) System and method for use of multiple applications
CN101252585A (en) Method and system for content filtering data using remote file system access protocol
CN115455440A (en) Transparent encryption method and device, electronic equipment and storage medium
CN106063218A (en) Method, apparatus and system for encryption/decryption in virtualization system
US20220269378A1 (en) Persistent State and Organization of Workspaces in User Interfaces
EP3270322B1 (en) Encrypting system level data structures
CN104731635B (en) A kind of virtual machine access control method and virtual machine access control system
US10091213B2 (en) Systems and methods to provide secure storage
US20170228325A1 (en) Retrieving and converting offline data
US20170063855A1 (en) Protocol independent way to selectively restrict write-access for redirected usb mass storage devices
CN111339034A (en) Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method
CN104123371B (en) The method of the transparent filtering of Windows kernel files based on hierarchical file system
US11283768B1 (en) Systems and methods for managing connections
CN114491607A (en) Cloud platform data processing method and device, computer equipment and storage medium
CN116881934B (en) Encryption and decryption method, system and device for data and storage medium
CN117591016A (en) Encrypted volume migration method, encrypted volume migration device, computer equipment and storage medium
JP4150854B2 (en) Access system and client for shared disk device on storage area network
KR20190078198A (en) Secure memory device based on cloud storage and Method for controlling verifying the same
CN113656817A (en) Data encryption method
KR100676674B1 (en) Data input / output acceleration device and its operation method for high speed data input / output

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination